Introduction

This article shows how to set up a quick, transient HashiCorp Vault container, which is useful for demos and testing. It covers running the server, pulling the Vault CLI, using the CLI to write secrets, and some sample Vault ACL policies.


Vault Server

Here is a quick demo Vault server for development. It runs in dev mode (unsealed, plain HTTP, root token printed in the container log), so it is only suitable for demos and testing:

docker run -d -p 8200:8200 --restart=always --hostname vault --name vault sjourdan/vault


Vault Client

After you have downloaded the Vault client archive, this snippet unzips it, places the binary on your PATH, adds VAULT_ADDR to .bashrc, and then reloads .bashrc.

Initially you can browse to https://www.vaultproject.io/downloads for the latest client for your desktop/client platform, e.g. vault_1.5.4_linux_amd64.zip


unzip vault_1.5.4_linux_amd64.zip
sudo mv vault /usr/local/bin/
echo "export VAULT_ADDR='http://localhost:8200'" >> $HOME/.bashrc
. $HOME/.bashrc
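The snippet above trusts whatever archive you downloaded by hand. As an added example (not code from the article), the script below automates the download and, before unpacking, verifies the archive against the SHA256SUMS file HashiCorp publishes next to every release under releases.hashicorp.com; the release URL layout, the version/OS/arch defaults and the helper names are this script's assumptions.

```sh
#!/usr/bin/env sh
# Added example: install the Vault CLI from the official release archive,
# verifying it against HashiCorp's published SHA256SUMS file first.
set -eu

VAULT_VERSION="${VAULT_VERSION:-1.5.4}"   # the version used in the article
VAULT_OS="${VAULT_OS:-linux}"
VAULT_ARCH="${VAULT_ARCH:-amd64}"
RELEASES="https://releases.hashicorp.com/vault"   # assumed release layout

# Print the SHA-256 digest of FILE, using whichever tool the platform ships.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d ' ' -f1
  else
    shasum -a 256 "$1" | cut -d ' ' -f1
  fi
}

# Succeed only if FILE's digest matches the entry for its name in SUMSFILE.
# SUMSFILE uses the coreutils layout: "<hex digest>  <file name>" per line.
verify_sha256() {  # verify_sha256 FILE SUMSFILE
  file="$1"; sums="$2"; name=$(basename "$file")
  want=$(awk -v n="$name" '$2 == n { print $1; exit }' "$sums")
  if [ -z "$want" ]; then
    echo "no checksum for $name in $sums" >&2
    return 1
  fi
  have=$(sha256_of "$file")
  if [ "$have" != "$want" ]; then
    echo "checksum mismatch for $name: got $have, want $want" >&2
    return 1
  fi
}

# Download archive and checksum list, verify, then install as in the article.
install_vault() {
  zip="vault_${VAULT_VERSION}_${VAULT_OS}_${VAULT_ARCH}.zip"
  sums="vault_${VAULT_VERSION}_SHA256SUMS"
  curl -fsSLO "$RELEASES/$VAULT_VERSION/$zip"
  curl -fsSLO "$RELEASES/$VAULT_VERSION/$sums"
  verify_sha256 "$zip" "$sums"          # aborts (set -e) on mismatch
  unzip -o "$zip" vault                 # extract only the binary
  sudo mv vault /usr/local/bin/vault
  grep -q 'VAULT_ADDR' "$HOME/.bashrc" 2>/dev/null ||
    echo "export VAULT_ADDR='http://localhost:8200'" >> "$HOME/.bashrc"
  vault version
}

# Usage: sh install-vault.sh install   (the download needs network access)
if [ "${1:-}" = "install" ]; then install_vault; fi
```

Run it as `sh install-vault.sh install`; override VAULT_VERSION, VAULT_OS or VAULT_ARCH in the environment for another platform. The checksum list itself is fetched over HTTPS from the same vendor host, so this guards against a corrupted or substituted archive on a mirror or in a download cache, not against a compromise of the vendor.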


On Mac OS X you can install the Vault CLI using brew:


$ brew install vault


You will need to point the CLI at your Vault server with an environment variable and then log in to it:

$ export VAULT_ADDR=http://<YourVaultFQDN_or_IP>:8200



You can script this or wrap it in a shell alias or function:

$ vault login -method=userpass \
    username=<vault_ID>


The Vault CLI will prompt for your password if you don't pass password=<yourPassword>, and a successful login looks like this:


$ vault login -method=userpass  username=aqua
Password (will be hidden):
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.


Key                    Value
---                    -----
token                  s.u06gYrmIkdQkR38MjZ4TzBRx
token_accessor         ngO4qeN4dmpo1UV57RE7OVQG
token_duration         10h
token_renewable        true
token_policies         ["default" "kv" "kv-v2" "test"]
identity_policies      []
policies               ["default" "kv" "kv-v2" "test"]
token_meta_username    aqua


To list the secrets stored in Vault:


$ vault list kv
Keys
----
AndreasSecret
data/
kv/
manasi
poshfrocks
test
 
$ vault list kv/data
Keys
----
DansTest
something-dan


$ vault read kv/data/DansTest
Key                 Value
---                 -----
refresh_interval    10h
data                map[something:1q2w0o9i8u]

Vault Example Secrets

These examples create a number of secrets at different sub-paths for use in Aqua.


Grab the root token from the Vault container logs and use it to log in (this assumes you have set the VAULT_ADDR variable as above):

# The dev server logs "Root Token: <token>" on startup; 2>&1 merges stderr
# into stdout so the grep sees the line whichever stream docker logs uses,
# and the third space-separated field is the token itself.
export root_token=$(docker logs vault 2>&1 | grep "Root Token" | cut -d " " -f3)
# login to vault
vault login $root_token
# Write some secrets
vault write secret/aqua/dustin/secret1 value=secret1value
vault write secret/aqua/dustin/secret2 value=secret2value


Vault Policy Examples



Read

This policy allows a token to read and list secrets under secret/aqua/, but not to write them.

path "secret/aqua/*" {
  capabilities = ["read", "list"]
}
path "auth/token/lookup-self" {
  capabilities = ["read", "list"]
}

Assuming this is in aqua-read.hcl, you can add a policy as follows:

vault policy-write aqua-read aqua-read.hcl

Create a token:

vault token-create -policy="aqua-read"


Output:
Key             Value
---             -----
token           7fea1f48-6e9d-34ff-a5b7-cbd13b0c8f26
token_accessor  31a48228-adcf-91eb-b81f-7cfad5404b64
token_duration  768h0m0s
token_renewable true
token_policies  [aqua-read default]



Write

This allows you to both read and update secrets.


path "secret/aqua/*" {
  capabilities = ["read", "list", "update"]
}
path "auth/token/lookup-self" {
  capabilities = ["read", "list"]
}


Assuming this is in aqua-write.hcl, you can add this policy:

vault policy-write aqua-write aqua-write.hcl


Create a token associated with that policy as follows:


vault token-create -policy="aqua-write"
Key             Value
---             -----
token           6f8ec542-8174-0627-9920-ca59665a2ca4
token_accessor  cfd30f51-00b6-04e0-d233-d221858ce449
token_duration  768h0m0s
token_renewable true
token_policies  [aqua-write default]
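Before handing either token to Aqua it is worth proving that the two policies really are as narrow as intended. The script below is an added example, not part of the article: it loads aqua-read.hcl and aqua-write.hcl, mints a token for each, asks Vault (via `vault token capabilities`) what each token may do on the article's secret paths, and finally attempts a real write with the read-only token, which must be refused. It assumes VAULT_ADDR is exported, the current login is the dev root token (or another token allowed to write policies, create child tokens and query sys/capabilities), the two .hcl files are in the working directory, and a 1.x CLI, where `vault policy write` and `vault token create` are the current spellings of the `policy-write` and `token-create` commands used above. The helper names are this script's own.

```sh
#!/usr/bin/env sh
# Added example: verify that aqua-read and aqua-write tokens are least-privilege.
set -eu

# Mint a short-lived token carrying only the named policy (plus "default")
# and print the token string alone.
token_for_policy() {
  vault token create -policy="$1" -ttl=30m -field=token
}

# Ask Vault which capabilities TOKEN has on PATH and normalise the answer
# ("list, read" or "deny") into one sorted, comma-separated line.
caps_of() {
  vault token capabilities "$1" "$2" | tr -d ' ' | tr ',' '\n' | sort | paste -s -d , -
}

# Compare the computed capabilities with the expected set; return 1 on any
# gap or excess, so the script can gate a rollout.
expect_caps() {  # expect_caps TOKEN PATH EXPECTED (sorted, comma-separated)
  actual=$(caps_of "$1" "$2")
  if [ "$actual" != "$3" ]; then
    echo "FAIL: $2 -> got [$actual], want [$3]" >&2
    return 1
  fi
  echo "ok:   $2 -> $actual"
}

check_policies() {
  vault policy write aqua-read aqua-read.hcl
  vault policy write aqua-write aqua-write.hcl
  read_tok=$(token_for_policy aqua-read)
  write_tok=$(token_for_policy aqua-write)

  # aqua-read: read and list under secret/aqua/, nothing anywhere else.
  expect_caps "$read_tok" secret/aqua/dustin/secret1 "list,read"
  expect_caps "$read_tok" secret/other/secret1 "deny"
  # aqua-write: adds update, but still no access to Vault's own configuration.
  expect_caps "$write_tok" secret/aqua/dustin/secret1 "list,read,update"
  expect_caps "$write_tok" sys/policies/acl/aqua-read "deny"

  # Do not trust the capability table alone: a real write with the read-only
  # token must fail with "permission denied".
  if VAULT_TOKEN="$read_tok" vault write secret/aqua/dustin/secret1 value=changed >/dev/null 2>&1; then
    echo "FAIL: read-only token was able to write" >&2
    return 1
  fi
  echo "ok:   read-only token cannot write"
}

# Usage: sh check-policies.sh check   (needs a reachable Vault server)
if [ "${1:-}" = "check" ]; then check_policies; fi
```

Run it as `sh check-policies.sh check` while logged in as root; a non-zero exit means a policy grants more or less than expected. Note that Vault distinguishes create from update on KV version 1 paths: a token holding only "update" can overwrite secret/aqua/dustin/secret1 once it exists but cannot add a new key under secret/aqua/, so add "create" to the write policy if Aqua needs to create secrets rather than only rotate existing ones.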